Wired reports that researchers have discovered that some malware designed to reside in a PC’s firmware – the embedded software that starts a computer and loads its operating system – can also work in Apple’s Macintosh systems.

“[The attack is] really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware,” says Xeno Kovah, one of the researchers who designed the worm. “For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”

The emphasis is mine.

The researchers created a proof-of-concept worm called Thunderstorm 2 that can hop from Mac to Mac, even if the machines aren’t networked, by hiding in the chips in smart peripherals:

An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.

When another machine is booted with this worm-infected device inserted, the machine firmware loads the option ROM from the infected device, triggering the worm to initiate a process that writes its malicious code to the boot flash firmware on the machine. If a new device is subsequently plugged into the computer and contains option ROM, the worm will write itself to that device as well and use it to spread.

This should make you think twice about borrowing someone’s adapter cable.

Hackers are already taking advantage of a security flaw discovered just last week in the latest version of OS X, 10.10.4. The same flaw apparently still exists in beta versions of 10.10.5, but has been locked down in early releases of the upcoming El Capitan, or 10.11, writes Dan Goodin of Ars Technica. The problem comes from a new error-logging system introduced in 10.10 Yosemite:

On Monday, researchers from anti-malware firm Malwarebytes said a new malicious installer is exploiting the vulnerability to surreptitiously infect Macs with several types of adware including VSearch, a variant of the Genieo package, and the MacKeeper junkware. Malwarebytes researcher Adam Thomas stumbled on the exploit after finding the installer modified the sudoers configuration file.

It’s not clear whether the malware can be installed from an infected website, a process known as a “drive-by” infection. But most Mac users have seen come-ons for the MacKeeper junkware, and enough of them fall for it that the software’s still out there. It would be fairly easy for an evildoer to mimic those ads to place the compromised version on clueless users’ systems.
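The Malwarebytes researcher quoted above noticed the installer because it had modified the sudoers configuration file. As an added illustration of that kind of check (this is example code written for this post, not Malwarebytes' tooling or anything from the Ars Technica article), the script below compares a sudoers file against a known-good baseline, reports any rule that was not there before, and specifically flags a rule that grants passwordless, unrestricted sudo. The baseline and the "modified" file are constructed sample strings; on a real system you would read /etc/sudoers and a baseline captured from a clean host.

```python
"""Audit a sudoers file for drift from a known-good baseline.

Example code written for this post. The two sudoers texts below are
constructed samples, not captured from a real infection.
"""
import hashlib
import re

# Constructed baseline: sudoers as it looked on a clean system (hypothetical).
BASELINE_SUDOERS = """\
# sudoers file.
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
"""

# Constructed "after" sample: the same file with one appended rule that lets
# any user run any command as root without a password prompt.
MODIFIED_SUDOERS = BASELINE_SUDOERS + "ALL ALL=(ALL) NOPASSWD: ALL\n"

# Minimal sudoers rule grammar:  user  host=(runas)  [TAG: ...]  commands
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.*)$"
)


def effective_lines(text):
    """Return non-blank, non-comment lines, stripped of surrounding whitespace."""
    return [
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    ]


def digest(text):
    """SHA-256 of the whole file, so even a whitespace-only change is noticed."""
    return hashlib.sha256(text.encode()).hexdigest()


def audit_sudoers(baseline, current):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    if digest(baseline) != digest(current):
        findings.append("sudoers digest changed from baseline")

    known = set(effective_lines(baseline))
    for line in effective_lines(current):
        if line in known:
            continue
        findings.append(f"new rule not in baseline: {line!r}")
        m = RULE_RE.match(line)
        # A NOPASSWD tag combined with an unrestricted command list is the
        # kind of rule an installer adds so it can escalate silently later.
        if m and "NOPASSWD" in m.group("tags") and m.group("cmds").strip() == "ALL":
            findings.append(
                f"passwordless unrestricted sudo granted to {m.group('user')!r}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(BASELINE_SUDOERS, MODIFIED_SUDOERS):
        print(finding)
```

The digest check catches any edit at all, while the per-line comparison tells you what changed; both are cheap enough to run from a periodic job, and the baseline should live somewhere the audited host cannot rewrite it.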